Cyber Crime

Today, we are at a crossroads on nuclear security and the emerging threats in the form of cyber attacks and nuclear terrorism. But our nuclear plants have failed to add the security measures necessary to handle cyber threats and potential security breaches. Based on the two latest security reports, we have tried to assess the present-day situation, which is worryingly vulnerable.

The nuclear power plants around the world are living in a state of denial about the risks of possible cyber attacks. These highly sensitive facilities have failed to install the necessary security measures to protect their computer networks. Apart from this, 20 countries with nuclear fuel stockpile don’t have any government regulations to install some minimum security steps.

The sorry state of our nuclear power plants was recently revealed in two different studies, conducted by the Security Operations Center (SOC) and the Nuclear Threat Initiative (NTI). Let’s tell you more about the situation:

The first report is an audit of the Security Operations Center for the US Nuclear Regulatory Commission (NRC). Studying the period between 2013 and 2014, it revealed that cyber attacks against US nuclear power plants grew by 18% during that time. The 18-page assessment report highlighted that the computer networks used by the NRC pose a real threat due to inadequate security measures. The NRC’s inspector general added that the measures deployed aren’t “optimized to protect the agency’s network in the current cyber threat environment.”

In recent years, the sophistication of cyber attacks against nuclear power plants has increased. Hackers have attempted to gain unauthorized access using social engineering, code injection techniques, and other methods.

It was reported that the SOC, which is in charge of security at the NRC, does not meet the agency’s needs and lacks the predictive analysis required to keep its networks protected.

“20 countries scored a disappointing 0 against theft and sabotage in nuclear power plants”

The second study, conducted by the Nuclear Threat Initiative (NTI), outlines the worldwide situation and reveals the gloomy condition of nuclear power plants. 47 countries were included in this study: 24 of them had weapon-usable nuclear materials, and 23 had nuclear facilities but did not produce usable material.

Surprisingly, only 13 countries scored a perfect 4 when their preparations against a cyber attack (sabotage and theft) were examined. These countries were Australia, Belarus, Bulgaria, Canada, Finland, France, Hungary, the Netherlands, Russia, Switzerland, Taiwan, the United Kingdom, and the United States.

The Nuclear Threat Initiative publishes this annual index, which examines nuclear security all around the world. The agency also mentions that many countries have improved their security measures in the past few years, but that this isn’t enough.

Take a look at this year’s NTI security index scores below:

Nuclear power plants are highly sensitive facilities that need an extra layer of security measures. Employing an army of security personnel will be useless if these plants remain vulnerable to hacking attacks. These reports suggest that immediate steps must be taken on this issue, in everybody’s best interests.

Romanian law enforcement authorities have arrested eight cyber criminals suspected of being part of an international criminal gang that pilfered cash from ATMs (automatic teller machines) using malware.

The operation, said to be one of the first of its type in Europe, was conducted in Romania and Moldova by the Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), with assistance from Europol, Eurojust and other European law enforcement authorities.

Europol did not provide the names of any of the eight suspects arrested, but said that the gang allegedly used a piece of malware dubbed Tyupkin to conduct what are known as jackpotting attacks, making millions by infecting ATMs across Europe and beyond.

With the help of the Tyupkin malware, the suspects were able to empty cash from infected ATMs by issuing commands through the ATM's PIN pad.

"The criminal group was involved in large scale ATM Jackpotting – a term which refers to the use of a Trojan horse, physically launched via an executable file in order to target an ATM," Europol explained in a press release, "thus allowing the attackers to empty the ATM cash cassettes via direct manipulation, using the ATM PIN pad to submit commands to the Trojan."

Tyupkin was first analysed in 2014 by Kaspersky Lab, following a request from a financial institution. During the investigation, Kaspersky found the malware on more than 50 ATMs in Eastern Europe.

The malware allows its operators to withdraw cash from ATMs without needing any payment card.

Although Europol did not specify how much money in total the criminal gang was able to plunder, it believes the gang caused “substantial losses” across Europe, and that the losses could run into millions.

Ever wonder how to hack Instagram or how to hack a facebook account? Well, someone just did it!

But remember, even responsibly reporting a security vulnerability could end up with legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to gain access to sensitive data stored on Instagram servers, including:

Source Code of Instagram website
SSL Certificates and Private Keys for Instagram
Keys used to sign authentication cookies
Personal details of Instagram Users and Employees
Email server credentials
Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook has threatened to sue the researcher for intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way the server processed users’ session cookies, which are generally used to remember users' log-in details.

The remote code execution bug was possible due to two weaknesses:

The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie
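The two conditions above (a signing secret checked into a config file, and Marshal-serialized session cookies that turn a forged cookie into object deserialization) are the kind of thing a defender can audit for. The following is an added example, not code from the article, from Instagram or from the Sensu project: a small Rails-style configuration audit; the `SensuAdmin::Application` constant, file names and sample configs are constructed for illustration.

```ruby
# Added example (not from the original article): flag Rails-style config
# files that hard-code the session signing secret or keep Marshal cookies.
SECRET_KEYS = %w[secret_token secret_key_base].freeze
# `config.secret_token = ...` style assignment; group 1 is the setting name.
ASSIGN_RE  = /\b(#{SECRET_KEYS.join('|')})\s*=/
# A quoted literal on the right-hand side, i.e. a secret checked into source.
LITERAL_RE = /\b(?:#{SECRET_KEYS.join('|')})\s*=\s*(['"])([^'"]+)\1/
# Value pulled from the environment (ENV['X'] / ENV.fetch('X')).
ENV_RE     = /=\s*ENV(\[|\.fetch\()/
# Marshal cookie serializer: a forged cookie becomes object deserialization.
MARSHAL_RE = /cookies_serializer\s*=\s*:marshal\b/

Finding = Struct.new(:file, :line, :reason)

# Returns an array of Finding structs for one config file's source text.
def audit_config(path, source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    next if line.strip.start_with?('#') # skip comment lines
    if (m = LITERAL_RE.match(line))
      findings << Finding.new(path, no,
        "hard-coded #{line[ASSIGN_RE, 1]} (#{m[2].length}-char literal)")
    elsif ASSIGN_RE.match?(line) && !ENV_RE.match?(line)
      findings << Finding.new(path, no,
        "#{line[ASSIGN_RE, 1]} not read from ENV; review manually")
    elsif MARSHAL_RE.match?(line)
      findings << Finding.new(path, no,
        'session cookies use the Marshal serializer; prefer :json')
    end
  end
  findings
end

# Constructed sample: the risky pattern (literal secret, Marshal cookies).
RISKY_CONFIG = <<~'RUBY'
  # config/initializers/secret_token.rb (constructed sample)
  SensuAdmin::Application.config.secret_token = '0123456789abcdef0123456789abcdef'
  SensuAdmin::Application.config.action_dispatch.cookies_serializer = :marshal
RUBY

# Constructed sample: secret loaded from the environment, JSON cookies.
SAFE_CONFIG = <<~'RUBY'
  SensuAdmin::Application.config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')
  SensuAdmin::Application.config.action_dispatch.cookies_serializer = :json
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'risky.rb' => RISKY_CONFIG, 'safe.rb' => SAFE_CONFIG }.each do |name, src|
    audit_config(name, src).each { |f| puts "#{f.file}:#{f.line}: #{f.reason}" }
  end
end
```

Run against a real checkout, the same function can be fed each file under `config/` in turn; a clean result means the secret is read from the environment and cookies are not Marshal-serialized, nothing more.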

Exploiting the vulnerability, Weinberg was able to force the server to dump a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were hashed with bcrypt, Weinberg was able to crack a dozen very weak passwords (like changeme, instagram, password) in just a few minutes.

Exposed EVERYTHING including Your Selfies

Weinberg did not stop here. He took a close look at other configuration files he found on the server and discovered that one of the files contained some keys for Amazon Web Services accounts, the cloud computing service used to host Instagram's Sensu setup.

These keys listed 82 Amazon S3 buckets (storage units), but these buckets were unique. He found nothing sensitive in the latest version of the file in that bucket, but when he looked at an older version of the file, he found another key pair that let him read the contents of all 82 buckets.
Weinberg had inadvertently stumbled upon almost EVERYTHING including:

"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Weinberg wrote in his blog. "With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data."

Weinberg reported his findings to Facebook's security team, but the social media giant was concerned he had accessed private data of its users and employees while uncovering the issues.

Instead of receiving a reward from Facebook for his hard work, Weinberg was disqualified from Facebook's bug bounty program.

In early December, Weinberg claims, his boss, Synack CEO Jay Kaplan, received a scary call from Facebook security chief Alex Stamos regarding the weaknesses Weinberg had discovered in Instagram, which left Instagram and Facebook users wide open to a devastating attack.

Stamos "stated that he did not want to have to get Facebook's legal team involved, but that he was not sure if this was something he needed to go to law enforcement over," Weinberg wrote in his blog in a section entitled 'Threats and Intimidation.'

In response, Stamos issued a statement, saying he "did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired."

Stamos said he only told Kaplan to "keep this out of the hands of the lawyers on both sides."

"Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk," Stamos added.

Facebook Responds

After the original publication by the researcher, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, rather only asked not to disclose the non-public information he accessed.

The social media giant confirmed the existence of the remote code execution bug in the sensu.instagram.com domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend who initially hinted that the server was openly accessible.

However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data did not qualify, with Facebook saying he violated user privacy while accessing the data.

Here's the full statement by Facebook:

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work.

A 19-year-old man in Dalian, China has been arrested by the police after he was caught hacking into an airline’s website, stealing booking information from 1.6 million ticket orders, and ripping off hundreds of travelers. Using the information, the teen went on to make hundreds of fraudulent transactions that pocketed him 1.1 million Yuan ($170,000 / €156,000).

The teenager, identified as Zhang from Heilongjiang, north-east China, hacked the website of a yet unnamed Chinese airline company by exploiting vulnerabilities in its B2B system. He illegally downloaded 1.6 million passengers' booking details, such as names, flight details, ID card numbers, email addresses, and mobile phone numbers.

He also used his access to the website to cancel some current bookings, and later, using the stolen information, he sent out group texts telling passengers that “the plane is out of order and the flight is cancelled” and that they needed to pay extra fees if they wanted to rebook. This is how the hacker made his money: by offering a re-booking link that pocketed him the re-booking fees.

It took the airline three weeks to notice the data breach. The airline lost more than 80,000 yuan ($12,365 USD) from people demanding a refund.

The hack lasted from July 31 to August 20. By August 22, the airline had announced the breach after several fraud complaints from customers, and on the same day it alerted Guangzhou police.

According to People’s Daily Online, authorities eventually tracked down Zhang and arrested him in Dalian, a city in North China, on November 11. A police officer said the hack was a result of a loophole in the airline’s computer system and was not highly sophisticated.

Hackers steal more than $1.2 million from 17 automated teller machines (ATMs) in Malaysia

A Latin American gang of cyber criminals found a way to hack 17 automated teller machines (ATMs) in Malaysia and steal millions of dollars from them.

ATMs of at least 17 bank branches belonging to United Overseas Bank, Affin Bank, Al Rajhi Bank and Bank of Islam were reportedly hacked into by the Latin American gang.

Closed-circuit television (CCTV) footage from the banks showed 2-3 Latin American men, who were involved in the crime, entering and withdrawing money from these ATMs one after another.

Bukit Aman Commercial Crime Investigation Department chief Comm Datuk Mortadza Nazarene told Bernama that the suspects used a computer malware known as “ulssm.exe” to hack into the ATMs. “The suspects were found to have opened the top panel of the machine without using a key and inserted a compact disc into the machine’s processing centre which caused the ATM’s system to reboot,” he told Bernama, Tuesday morning, The Star reported.

A Selangor Commercial Crime Investigation Department spokesman said that investigations are still ongoing. In the meantime, police were able to recover one of the ATM cards used by the hackers to withdraw the money.

Since the ATM was rebooted to its default state, no customer data was compromised in the hack. Police are investigating the scene and believe the gang members are still in the country.

India’s premier investigating agency, the Central Bureau of Investigation (CBI), today arrested a man for stealing product keys of various Microsoft products and selling them to unsuspecting customers for profit. CBI issued a statement saying that they had arrested a person named D.Prabhu. D.Prabhu is not linked to any hacker groups and is a private individual. CBI says that he was carrying out the theft for his personal profit.

A CBI spokesperson said: “The complaint was lodged by Microsoft. The agency took up the investigation as the alleged offence has larger ramifications.” According to the official, the quantum of loss suffered by Microsoft is yet to be quantified as the thief sold keys of various Microsoft products.

According to CBI, a case has been registered on the allegation that Microsoft Volume License Service Centre (VLSC) agreements belonging to different overseas and Indian customers of Microsoft were being accessed without authorisation, i.e. hacked, for the purpose of stealing product keys of different Microsoft products.

CBI also said that searches of Prabhu’s premises yielded substantial evidence of the theft, including the recovery of hard disks, a router, a number of Microsoft product kits and other documents. The CBI has also frozen the bank account the accused used to collect the sale proceeds. The accused was produced before a local court here on Friday, and the agency obtained transit remand.